[libvirt PATCH v2 14/20] commandhelper: Make number of fds variable in printInput

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Fixes a buffer overflow triggered when more than three "--readfd"
arguments were given on the command line.

Signed-off-by: Tim Wiederhake <twiederh@xxxxxxxxxx>
---
 tests/commandhelper.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/tests/commandhelper.c b/tests/commandhelper.c
index 8a9a3c96a0..ac64505461 100644
--- a/tests/commandhelper.c
+++ b/tests/commandhelper.c
@@ -204,13 +204,23 @@ static int printCwd(FILE *log)
 static int printInput(struct Arguments *args)
 {
     char buf[1024];
-    struct pollfd fds[3];
-    char *buffers[3] = {NULL, NULL, NULL};
-    size_t buflen[3] = {0, 0, 0};
+    struct pollfd *fds = NULL;
+    char **buffers = NULL;
+    size_t *buflen = NULL;
     int ret = -1;
     size_t i;
     ssize_t got;
 
+    if (!(fds = calloc(args->numreadfds, sizeof(*fds))))
+        goto cleanup;
+
+    /* plus one NULL terminator */
+    if (!(buffers = calloc(args->numreadfds + 1, sizeof(*buffers))))
+        goto cleanup;
+
+    if (!(buflen = calloc(args->numreadfds, sizeof(*buflen))))
+        goto cleanup;
+
     if (args->close_stdin) {
         if (freopen("/dev/null", "r", stdin) != stdin)
             goto cleanup;
@@ -292,8 +302,15 @@ static int printInput(struct Arguments *args)
     ret = 0;
 
  cleanup:
-    for (i = 0; i < G_N_ELEMENTS(buffers); i++)
-        free(buffers[i]);
+    if (buffers) {
+        char **ptr;
+        for (ptr = buffers; *ptr; ptr++)
+            free(*ptr);
+    }
+    free(fds);
+    free(buflen);
+    free(buffers);
+
     return ret;
 }
 
-- 
2.26.2




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux